Merge master into staging-next

github-actions[bot] 2022-04-11 06:01:23 +00:00 committed by GitHub
commit f79351bacf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
26 changed files with 491 additions and 125 deletions


@ -11528,6 +11528,12 @@
githubId = 2770647;
name = "Simon Vandel Sillesen";
};
sir4ur0n = {
email = "sir4ur0n@users.noreply.github.com";
github = "sir4ur0n";
githubId = 1204125;
name = "sir4ur0n";
};
siraben = {
email = "bensiraphob@gmail.com";
matrix = "@siraben:matrix.org";


@ -1785,6 +1785,15 @@
should now be used instead.
</para>
</listitem>
<listitem>
<para>
<literal>security.pam.ussh</literal> has been added, which
allows authorizing PAM sessions based on SSH
<emphasis>certificates</emphasis> held within an SSH agent,
using
<link xlink:href="https://github.com/uber/pam-ussh">pam-ussh</link>.
</para>
</listitem>
<listitem>
<para>
The <literal>zrepl</literal> package has been updated from


@ -613,6 +613,8 @@ In addition to numerous new and upgraded packages, this release has the followin
and [services.logrotate.extraConfig](#opt-services.logrotate.extraConfig) will work, but issue deprecation
warnings and [services.logrotate.settings](#opt-services.logrotate.settings) should now be used instead.
- `security.pam.ussh` has been added, which allows authorizing PAM sessions based on SSH _certificates_ held within an SSH agent, using [pam-ussh](https://github.com/uber/pam-ussh).
- The `zrepl` package has been updated from 0.4.0 to 0.5:
- The RPC protocol version was bumped; all zrepl daemons in a setup must be updated and restarted before replication can resume.


@ -61,6 +61,19 @@ let
'';
};
usshAuth = mkOption {
default = false;
type = types.bool;
description = ''
If set, users with an SSH certificate containing an authorized principal
in their SSH agent are able to log in. Specific options are controlled
using the <option>security.pam.ussh</option> options.
Note that the <option>security.pam.ussh.enable</option> must also be
set for this option to take effect.
'';
};
yubicoAuth = mkOption {
default = config.security.pam.yubico.enable;
defaultText = literalExpression "config.security.pam.yubico.enable";
@ -475,6 +488,9 @@ let
optionalString cfg.usbAuth ''
auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so
'' +
(let ussh = config.security.pam.ussh; in optionalString (config.security.pam.ussh.enable && cfg.usshAuth) ''
auth ${ussh.control} ${pkgs.pam_ussh}/lib/security/pam_ussh.so ${optionalString (ussh.caFile != null) "ca_file=${ussh.caFile}"} ${optionalString (ussh.authorizedPrincipals != null) "authorized_principals=${ussh.authorizedPrincipals}"} ${optionalString (ussh.authorizedPrincipalsFile != null) "authorized_principals_file=${ussh.authorizedPrincipalsFile}"} ${optionalString (ussh.group != null) "group=${ussh.group}"}
'') +
(let oath = config.security.pam.oath; in optionalString cfg.oathAuth ''
auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}
'') +
@ -927,6 +943,96 @@ in
};
};
security.pam.ussh = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Enables Uber's USSH PAM (<literal>pam-ussh</literal>) module.
This is similar to <literal>pam-ssh-agent</literal>, except that
the presence of a CA-signed SSH key with a valid principal is checked
instead.
Note that this module must both be enabled using this option and on a
per-PAM-service level as well (using <literal>usshAuth</literal>).
More information can be found <link
xlink:href="https://github.com/uber/pam-ussh">here</link>.
'';
};
caFile = mkOption {
default = null;
type = with types; nullOr path;
description = ''
By default <literal>pam-ussh</literal> reads the trusted user CA keys
from <filename>/etc/ssh/trusted_user_ca</filename>.
This should be set the same as your <literal>TrustedUserCAKeys</literal>
option for sshd.
'';
};
authorizedPrincipals = mkOption {
default = null;
type = with types; nullOr commas;
description = ''
Comma-separated list of authorized principals to permit; if the user
presents a certificate with one of these principals, then they will be
authorized.
Note that <literal>pam-ussh</literal> also requires that the certificate
contain a principal matching the user's username. The principals from
this list are in addition to those principals.
Mutually exclusive with <literal>authorizedPrincipalsFile</literal>.
'';
};
authorizedPrincipalsFile = mkOption {
default = null;
type = with types; nullOr path;
description = ''
Path to a list of principals; if the user presents a certificate with
one of these principals, then they will be authorized.
Note that <literal>pam-ussh</literal> also requires that the certificate
contain a principal matching the user's username. The principals from
this file are in addition to those principals.
Mutually exclusive with <literal>authorizedPrincipals</literal>.
'';
};
group = mkOption {
default = null;
type = with types; nullOr str;
description = ''
If set, then the authenticating user must be a member of this group
to use this module.
'';
};
control = mkOption {
default = "sufficient";
type = types.enum [ "required" "requisite" "sufficient" "optional" ];
description = ''
This option sets pam "control".
If you want to have multi factor authentication, use "required".
If you want to use the SSH certificate instead of the regular password,
use "sufficient".
Read
<citerefentry>
<refentrytitle>pam.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>
for better understanding of this option.
'';
};
};
security.pam.yubico = {
enable = mkOption {
default = false;
@ -1111,6 +1217,9 @@ in
optionalString (isEnabled (cfg: cfg.usbAuth)) ''
mr ${pkgs.pam_usb}/lib/security/pam_usb.so,
'' +
optionalString (isEnabled (cfg: cfg.usshAuth)) ''
mr ${pkgs.pam_ussh}/lib/security/pam_ussh.so,
'' +
optionalString (isEnabled (cfg: cfg.oathAuth)) ''
"mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,
'' +
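Review bot: The descriptions of `authorizedPrincipals` and `authorizedPrincipalsFile` call the two options mutually exclusive, but nothing in the visible hunks enforces it: with both set, the generated `auth` line for `pam_ussh.so` carries `authorized_principals=` and `authorized_principals_file=` together, and which one wins is left to pam-ussh. For options that decide who may authenticate I would fail evaluation instead, e.g. an entry `{ assertion = ussh.authorizedPrincipals == null || ussh.authorizedPrincipalsFile == null; message = "security.pam.ussh: authorizedPrincipals and authorizedPrincipalsFile are mutually exclusive"; }` in the module's `assertions` (the config section that would hold it is outside these hunks). A smaller style point in the auth-stack hunk: the `let ussh = …` binding is already in scope, so the condition can read `ussh.enable && cfg.usshAuth`. The `control` description could also say that with the default `sufficient` a valid certificate ends the auth stack there, so the `requisite` pam_oath line that follows is never consulted.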


@ -245,7 +245,7 @@ in
environment.systemPackages = [ sudo ];
security.pam.services.sudo = { sshAgentAuth = true; };
security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
environment.etc.sudoers =
{ source =
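Review bot: With `usshAuth = true` set unconditionally on the `sudo` service (the second printed variant of the line, presumably the new side), turning on `security.pam.ussh.enable` alone is enough for sudo to accept an agent-held certificate, and with the default `control = "sufficient"` that stands in for the password. The `security.pam.ussh.enable` description says the module must also be enabled per PAM service, which is not what an administrator will observe for sudo. Either state the sudo default in that description, for example `Note that the sudo service has usshAuth enabled by default.`, or leave the per-service switch at its default here so that certificate-based privilege escalation is an explicit choice. The enclosing attribute set starts and ends outside the hunk.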


@ -10,6 +10,36 @@ let
check = {
global = {
sectionNetwork = checkUnitConfig "Network" [
(assertOnlyFields [
"SpeedMeter"
"SpeedMeterIntervalSec"
"ManageForeignRoutingPolicyRules"
"ManageForeignRoutes"
"RouteTable"
])
(assertValueOneOf "SpeedMeter" boolValues)
(assertInt "SpeedMeterIntervalSec")
(assertValueOneOf "ManageForeignRoutingPolicyRules" boolValues)
(assertValueOneOf "ManageForeignRoutes" boolValues)
];
sectionDHCPv4 = checkUnitConfig "DHCPv4" [
(assertOnlyFields [
"DUIDType"
"DUIDRawData"
])
];
sectionDHCPv6 = checkUnitConfig "DHCPv6" [
(assertOnlyFields [
"DUIDType"
"DUIDRawData"
])
];
};
link = {
sectionLink = checkUnitConfig "Link" [
@ -871,6 +901,44 @@ let
};
};
networkdOptions = {
networkConfig = mkOption {
default = {};
example = { SpeedMeter = true; ManageForeignRoutingPolicyRules = false; };
type = types.addCheck (types.attrsOf unitOption) check.global.sectionNetwork;
description = ''
Each attribute in this set specifies an option in the
<literal>[Network]</literal> section of the networkd config.
See <citerefentry><refentrytitle>networkd.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
'';
};
dhcpV4Config = mkOption {
default = {};
example = { DUIDType = "vendor"; };
type = types.addCheck (types.attrsOf unitOption) check.global.sectionDHCPv4;
description = ''
Each attribute in this set specifies an option in the
<literal>[DHCPv4]</literal> section of the networkd config.
See <citerefentry><refentrytitle>networkd.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
'';
};
dhcpV6Config = mkOption {
default = {};
example = { DUIDType = "vendor"; };
type = types.addCheck (types.attrsOf unitOption) check.global.sectionDHCPv6;
description = ''
Each attribute in this set specifies an option in the
<literal>[DHCPv6]</literal> section of the networkd config.
See <citerefentry><refentrytitle>networkd.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
'';
};
};
linkOptions = commonNetworkOptions // {
# overwrite enable option from above
enable = mkOption {
@ -1519,6 +1587,39 @@ let
};
};
networkdConfig = { config, ... }: {
options = {
routeTables = mkOption {
default = {};
example = { foo = 27; };
type = with types; attrsOf int;
description = ''
Defines route table names as an attrset of name to number.
See <citerefentry><refentrytitle>networkd.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
'';
};
addRouteTablesToIPRoute2 = mkOption {
default = true;
example = false;
type = types.bool;
description = ''
If true and routeTables are set, then the specified route tables
will also be installed into /etc/iproute2/rt_tables.
'';
};
};
config = {
networkConfig = optionalAttrs (config.routeTables != { }) {
RouteTable = mapAttrsToList
(name: number: "${name}:${toString number}")
config.routeTables;
};
};
};
commonMatchText = def: optionalString (def.matchConfig != { }) ''
[Match]
${attrsToSection def.matchConfig}
@ -1600,6 +1701,20 @@ let
+ def.extraConfig;
};
renderConfig = def:
{ text = ''
[Network]
${attrsToSection def.networkConfig}
''
+ optionalString (def.dhcpV4Config != { }) ''
[DHCPv4]
${attrsToSection def.dhcpV4Config}
''
+ optionalString (def.dhcpV6Config != { }) ''
[DHCPv6]
${attrsToSection def.dhcpV6Config}
''; };
networkToUnit = name: def:
{ inherit (def) enable;
text = commonMatchText def
@ -1732,6 +1847,12 @@ in
description = "Definition of systemd networks.";
};
systemd.network.config = mkOption {
default = {};
type = with types; submodule [ { options = networkdOptions; } networkdConfig ];
description = "Definition of global systemd network config.";
};
systemd.network.units = mkOption {
description = "Definition of networkd units.";
default = {};
@ -1823,7 +1944,9 @@ in
systemd.services.systemd-networkd = {
wantedBy = [ "multi-user.target" ];
aliases = [ "dbus-org.freedesktop.network1.service" ];
restartTriggers = map (x: x.source) (attrValues unitFiles);
restartTriggers = map (x: x.source) (attrValues unitFiles) ++ [
config.environment.etc."systemd/networkd.conf".source
];
};
systemd.services.systemd-networkd-wait-online = {
@ -1846,6 +1969,17 @@ in
};
};
environment.etc."systemd/networkd.conf" = renderConfig cfg.config;
networking.iproute2 = mkIf (cfg.config.addRouteTablesToIPRoute2 && cfg.config.routeTables != { }) {
enable = mkDefault true;
rttablesExtraConfig = ''
# Extra tables defined in NixOS systemd.networkd.config.routeTables.
${concatStringsSep "\n" (mapAttrsToList (name: number: "${toString number} ${name}") cfg.config.routeTables)}
'';
};
services.resolved.enable = mkDefault true;
})
];
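Review bot: `routeTables` is typed `attrsOf int`, so a zero or negative table number, or a name containing whitespace or `:`, passes evaluation and is written verbatim into `RouteTable=` in networkd.conf and into `/etc/iproute2/rt_tables`. Tightening the value type, e.g. `type = with types; attrsOf ints.positive;`, and rejecting names that are not a single token would turn a malformed table definition into an evaluation error instead of a routing setup that silently differs from what was intended. The `check.global.sectionNetwork` list admits `RouteTable` through `assertOnlyFields` but has no value assertion for it, so a hand-written `networkConfig.RouteTable` is unchecked as well.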


@ -398,6 +398,7 @@ in
pam-file-contents = handleTest ./pam/pam-file-contents.nix {};
pam-oath-login = handleTest ./pam/pam-oath-login.nix {};
pam-u2f = handleTest ./pam/pam-u2f.nix {};
pam-ussh = handleTest ./pam/pam-ussh.nix {};
pantalaimon = handleTest ./matrix/pantalaimon.nix {};
pantheon = handleTest ./pantheon.nix {};
paperless-ng = handleTest ./paperless-ng.nix {};


@ -0,0 +1,70 @@
import ../make-test-python.nix ({ pkgs, lib, ... }:
let
testOnlySSHCredentials = pkgs.runCommand "pam-ussh-test-ca" {
nativeBuildInputs = [ pkgs.openssh ];
} ''
mkdir $out
ssh-keygen -t ed25519 -N "" -f $out/ca
ssh-keygen -t ed25519 -N "" -f $out/alice
ssh-keygen -s $out/ca -I "alice user key" -n "alice,root" -V 19700101:forever $out/alice.pub
ssh-keygen -t ed25519 -N "" -f $out/bob
ssh-keygen -s $out/ca -I "bob user key" -n "bob" -V 19700101:forever $out/bob.pub
'';
makeTestScript = user: pkgs.writeShellScript "pam-ussh-${user}-test-script" ''
set -euo pipefail
eval $(${pkgs.openssh}/bin/ssh-agent)
mkdir -p $HOME/.ssh
chmod 700 $HOME/.ssh
cp ${testOnlySSHCredentials}/${user}{,.pub,-cert.pub} $HOME/.ssh
chmod 600 $HOME/.ssh/${user}
chmod 644 $HOME/.ssh/${user}{,-cert}.pub
set -x
${pkgs.openssh}/bin/ssh-add $HOME/.ssh/${user}
${pkgs.openssh}/bin/ssh-add -l &>2
exec sudo id -u -n
'';
in {
name = "pam-ussh";
meta.maintainers = with lib.maintainers; [ lukegb ];
machine =
{ ... }:
{
users.users.alice = { isNormalUser = true; extraGroups = [ "wheel" ]; };
users.users.bob = { isNormalUser = true; extraGroups = [ "wheel" ]; };
security.pam.ussh = {
enable = true;
authorizedPrincipals = "root";
caFile = "${testOnlySSHCredentials}/ca.pub";
};
security.sudo = {
enable = true;
extraConfig = ''
Defaults lecture="never"
'';
};
};
testScript =
''
with subtest("alice should be allowed to escalate to root"):
machine.succeed(
'su -c "${makeTestScript "alice"}" -l alice | grep root'
)
with subtest("bob should not be allowed to escalate to root"):
machine.fail(
'su -c "${makeTestScript "bob"}" -l bob | grep root'
)
'';
})
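Review bot: In `makeTestScript`, `ssh-add -l &>2` sends both streams to a file named `2` in the working directory rather than to stderr, so the key listing never reaches the test log; `ssh-add -l >&2` is presumably what was meant. The two subtests only vary the principal list, and since this module gates sudo, a subtest with a certificate signed by a different CA and one with an expired validity window would pin the rejections that matter most. The machine config never sets `usshAuth`, so the test relies on the sudo module's default for that flag; a one-line comment saying so would keep the dependency visible.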


@ -8,6 +8,9 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
environment.systemPackages = with pkgs; [ wireguard-tools ];
systemd.network = {
enable = true;
config = {
routeTables.custom = 23;
};
netdevs = {
"90-wg0" = {
netdevConfig = { Kind = "wireguard"; Name = "wg0"; };
@ -39,6 +42,7 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
address = [ "10.0.0.${nodeId}/32" ];
routes = [
{ routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; }; }
{ routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; Table = "custom"; }; }
];
};
"30-eth1" = {
@ -87,6 +91,12 @@ testScript = ''
node1.wait_for_unit("systemd-networkd-wait-online.service")
node2.wait_for_unit("systemd-networkd-wait-online.service")
# ================================
# Networkd Config
# ================================
node1.succeed("grep RouteTable=custom:23 /etc/systemd/networkd.conf")
node1.succeed("sudo ip route show table custom | grep '10.0.0.0/24 via 10.0.0.1 dev wg0 proto static'")
# ================================
# Wireguard
# ================================


@ -2,16 +2,16 @@
buildGoModule rec {
pname = "argocd-autopilot";
version = "0.3.1";
version = "0.3.2";
src = fetchFromGitHub {
owner = "argoproj-labs";
repo = "argocd-autopilot";
rev = "v${version}";
sha256 = "sha256-L8+sb0lGPuc6smOFwijRGFS+oSCxEqB5c1tG55MPlgE=";
sha256 = "sha256-9si2zqYhmAqzhdUWMkfQ/yLeyNcZSAWypvZTbDDrPvA=";
};
vendorSha256 = "sha256-sxPTOao3scTmiVKFyGeWPMzXQz/d0HSVmUYocNGm1vA=";
vendorSha256 = "sha256-UfZCGG24JjPoc5nbX9vPeFCP8YGMNF5oUrdwTC6RpKI=";
proxyVendor = true;


@ -40,10 +40,10 @@
"owner": "aliyun",
"provider-source-address": "registry.terraform.io/aliyun/alicloud",
"repo": "terraform-provider-alicloud",
"rev": "v1.162.0",
"sha256": "sha256-xqZv15Tst+7o9HhNu6/bW+a4z7FTkra+MfS8jKrfeNs=",
"vendorSha256": "sha256-RbOf/S0rkbhW0s+/YOqu+BQuE0V4aS2x36Xf+hgBkqY=",
"version": "1.162.0"
"rev": "v1.163.0",
"sha256": "sha256-lSg8jAzQfRc++U6zAhkfbVf/+hIW/1Nov35o6M8mRrw=",
"vendorSha256": "sha256-8dAk23ISxYuYKj5s0W6g93RBW1++NuZEPva5MaNBSyw=",
"version": "1.163.0"
},
"ansible": {
"owner": "nbering",
@ -76,10 +76,10 @@
"owner": "vmware",
"provider-source-address": "registry.terraform.io/vmware/avi",
"repo": "terraform-provider-avi",
"rev": "v21.1.3",
"sha256": "160l9864p73283hc27qaabd3lrh7lm8fyh6k9xlal5isfd9vrm5p",
"vendorSha256": "1hw1xp20nhs4p1q9l887m82456fg5977pm66165gdkczwrq2zr6v",
"version": "21.1.3"
"rev": "v21.1.4",
"sha256": "sha256-6H56TRA3I0CQ9/d8JdP5JNL0u3lpS8YhCvdSM5bxYp8=",
"vendorSha256": "sha256-b0MwGmgugZdmVk7ZVBSCivDQ4n+tLABymH/igo/S1Wc=",
"version": "21.1.4"
},
"aviatrix": {
"owner": "AviatrixSystems",
@ -148,10 +148,10 @@
"owner": "DrFaust92",
"provider-source-address": "registry.terraform.io/DrFaust92/bitbucket",
"repo": "terraform-provider-bitbucket",
"rev": "v2.13.1",
"sha256": "sha256-P/6scAuRMRrACHmEdWjn+W37ptVmVgtj+iTXQDrG+WM=",
"vendorSha256": "sha256-o1CZ4VuGCPALqSIz8KSm1zCwd3r9bR13CRvP7XpVBAM=",
"version": "2.13.1"
"rev": "v2.14.0",
"sha256": "sha256-tF1Q55mxwPU6dziiNzdacNtHvemd9ciQHE2E6een1WY=",
"vendorSha256": "sha256-L8QYz1xgw8ZQjrU33uP18XxNUjImPYATZ02h46G4aXs=",
"version": "2.14.0"
},
"brightbox": {
"owner": "brightbox",
@ -194,10 +194,10 @@
"owner": "cloudflare",
"provider-source-address": "registry.terraform.io/cloudflare/cloudflare",
"repo": "terraform-provider-cloudflare",
"rev": "v3.12.0",
"sha256": "sha256-y2qq0asEnhnOjthLBFxyQjf1N5KNlXXK0eXjT1/vCXg=",
"rev": "v3.12.1",
"sha256": "sha256-8l6+hyjW+N3N5OGj/cviH97EFqouSrnJULk/SXrYCTk=",
"vendorSha256": "sha256-v6fUzYwrYt4rk5LT0LyNd8e9X79r3dwtd3s1QIV/w/s=",
"version": "3.12.0"
"version": "3.12.1"
},
"cloudfoundry": {
"owner": "cloudfoundry-community",
@ -754,10 +754,10 @@
"owner": "vmware",
"provider-source-address": "registry.terraform.io/vmware/nsxt",
"repo": "terraform-provider-nsxt",
"rev": "v3.2.5",
"sha256": "0j5kspfmqxdnvk3sfb476rckkn9fdgpw5haf495901a114wynr2l",
"rev": "v3.2.6",
"sha256": "sha256-1uQMjzqMJ1NQVVCXy5aHrrZ4vDK5s1JqUnLyYf1qLVw=",
"vendorSha256": null,
"version": "3.2.5"
"version": "3.2.6"
},
"null": {
"owner": "hashicorp",
@ -791,10 +791,10 @@
"owner": "okta",
"provider-source-address": "registry.terraform.io/okta/okta",
"repo": "terraform-provider-okta",
"rev": "v3.22.1",
"sha256": "sha256-G1KJJSxJmzFlIUWOs+7htcgp61oWCu+ryCKaIHzxhzw=",
"vendorSha256": "sha256-n7ih8QtapA+xno1twlM2b2XGEesdJdJIPD+QWpmJDVA=",
"version": "3.22.1"
"rev": "v3.23.0",
"sha256": "sha256-azqWTQA4FW79U+GrdCBO4BWA5c+Cce3ELANS2Os5bSs=",
"vendorSha256": "sha256-S4HVfl/PbgpgWFedkWM+EGyYAL5P0cdkLMYL+y+aX8w=",
"version": "3.23.0"
},
"oktaasa": {
"owner": "oktadeveloper",


@ -71,7 +71,12 @@ let majorVersion = "10";
# Obtain latest patch with ../update-mcfgthread-patches.sh
++ optional (!crossStageStatic && targetPlatform.isMinGW) ./Added-mcf-thread-model-support-from-mcfgthread.patch
++ [ ../libsanitizer-no-cyclades.patch ];
++ [ ../libsanitizer-no-cyclades.patch ]
++ optional (buildPlatform.system == "aarch64-darwin" && targetPlatform != buildPlatform) (fetchpatch {
url = "https://raw.githubusercontent.com/richard-vd/musl-cross-make/5e9e87f06fc3220e102c29d3413fbbffa456fcd6/patches/gcc-${version}/0008-darwin-aarch64-self-host-driver.patch";
sha256 = "sha256-XtykrPd5h/tsnjY1wGjzSOJ+AyyNLsfnjuOZ5Ryq9vA=";
});
/* Cross-gcc settings (build == host != target) */
crossMingw = targetPlatform != hostPlatform && targetPlatform.libc == "msvcrt";
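Review bot: The added `fetchpatch` pulls a compiler-driver patch from a personal fork (`richard-vd/musl-cross-make`) with no comment saying what it fixes or where it is tracked upstream. The commit hash in the URL together with the `sha256` pins the content, so a changed file fails the fetch, but the path also interpolates `gcc-${version}`, which means a GCC point release changes the URL and whoever reviews that bump has nothing to go on. A short comment above the `optional`, in the style of the neighbouring `# Obtain latest patch with …` line, naming the aarch64-darwin build-host problem and linking the report (`<upstream bug URL>`) would cover it.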


@ -68,7 +68,7 @@ let
else
"$NIX_BUILD_CORES";
needUserConfig = stdenv.hostPlatform != stdenv.buildPlatform || useMpi || stdenv.isDarwin;
needUserConfig = stdenv.hostPlatform != stdenv.buildPlatform || useMpi || (stdenv.isDarwin && enableShared);
b2Args = concatStringsSep " " ([
"--includedir=$dev/include"


@ -11,13 +11,13 @@
stdenv.mkDerivation rec {
pname = "bullet";
version = "3.22a";
version = "3.22b";
src = fetchFromGitHub {
owner = "bulletphysics";
repo = "bullet3";
rev = version;
sha256 = "sha256-Ng+kg720y69aE0FgTnD60F05zwUX/LzLlImnrODzOuo=";
sha256 = "sha256-hf2b7enh9mziPKFcdU8NwLdhcxhV7Ididf9Bwwa+5/M=";
};
nativeBuildInputs = [ cmake ];


@ -25,8 +25,6 @@
, pydot
, pyhamcrest
, pymongo
, pytest-timeout
, pytest-xdist
, pytestCheckHook
, python
, pythonAtLeast
@ -43,26 +41,21 @@
buildPythonPackage rec {
pname = "apache-beam";
version = "2.36.0";
version = "2.37.0";
disabled = pythonAtLeast "3.10";
src = fetchFromGitHub {
owner = "apache";
repo = "beam";
rev = "v${version}";
sha256 = "sha256-f+ICbKSwNjkhrTCCZwxbmqZlQ1+dQSTRag1IflWsqYg=";
sha256 = "sha256-FmfTxRLqXUHhhAZIxCRx2+phX0bmU5rIHaftBU4yBJY=";
};
patches = [
./relax-deps.patch
# Fixes https://issues.apache.org/jira/browse/BEAM-9324
./fix-cython.patch
];
# See https://github.com/NixOS/nixpkgs/issues/156957.
postPatch = ''
substituteInPlace setup.py \
--replace "typing-extensions>=3.7.0,<4" "typing-extensions" \
--replace "dill>=0.3.1.1,<0.3.2" "dill" \
--replace "httplib2>=0.8,<0.20.0" "httplib2" \
--replace "pyarrow>=0.15.1,<7.0.0" "pyarrow"
'';
@ -109,8 +102,6 @@ buildPythonPackage rec {
parameterized
psycopg2
pyhamcrest
pytest-timeout
pytest-xdist
pytestCheckHook
pyyaml
requests-mock
@ -123,6 +114,18 @@ buildPythonPackage rec {
preCheck = "cd $out/lib/${python.libPrefix}/site-packages";
disabledTestPaths = [
# Fails with
# _______ ERROR collecting apache_beam/io/external/xlang_jdbcio_it_test.py _______
# apache_beam/io/external/xlang_jdbcio_it_test.py:80: in <module>
# class CrossLanguageJdbcIOTest(unittest.TestCase):
# apache_beam/io/external/xlang_jdbcio_it_test.py:99: in CrossLanguageJdbcIOTest
# container_init: Callable[[], Union[PostgresContainer, MySqlContainer]],
# E NameError: name 'MySqlContainer' is not defined
#
# Test relies on the testcontainers package, which is not currently (as of
# 2022-04-08) available in nixpkgs.
"apache_beam/io/external/xlang_jdbcio_it_test.py"
# These tests depend on the availability of specific servers backends.
"apache_beam/runners/portability/flink_runner_test.py"
"apache_beam/runners/portability/samza_runner_test.py"
@ -136,12 +139,6 @@ buildPythonPackage rec {
# quite elaborate testing infra with containers and multiple
# different runners - I don't expect them to help debugging these
# when running via our (= custom from their PoV) testing infra.
"testBuildListUnpack"
"testBuildTupleUnpack"
"testBuildTupleUnpackWithCall"
"test_convert_bare_types"
"test_incomparable_default"
"test_pardo_type_inference"
"test_with_main_session"
];
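Review bot: The `postPatch` block matches exact requirement strings such as `"dill>=0.3.1.1,<0.3.2"`, so once upstream changes a bound the `--replace` stops matching and, depending on the stdenv in use, the relaxation may be dropped with at most a warning, whereas the patch file it appears to replace would have failed to apply. A guard that fails the build on a missing match (a `grep -q` on `setup.py` before the substitution, or `--replace-fail` where the stdenv provides it) keeps the behaviour explicit. The upstream comment visible in the deleted `relax-deps.patch` says the narrow dill range is deliberate because pickles must agree between client and server, so a comment beside the dill replacement recording that trade-off would help the next reviewer.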


@ -1,41 +0,0 @@
diff --git a/apache_beam/runners/worker/operations.py b/apache_beam/runners/worker/operations.py
index 3464c5750c..5921c72b90 100644
--- a/apache_beam/runners/worker/operations.py
+++ b/apache_beam/runners/worker/operations.py
@@ -69,18 +69,6 @@ if TYPE_CHECKING:
from apache_beam.runners.worker.statesampler import StateSampler
from apache_beam.transforms.userstate import TimerSpec
-# Allow some "pure mode" declarations.
-try:
- import cython
-except ImportError:
-
- class FakeCython(object):
- @staticmethod
- def cast(type, value):
- return value
-
- globals()['cython'] = FakeCython()
-
_globally_windowed_value = GlobalWindows.windowed_value(None)
_global_window_type = type(_globally_windowed_value.windows[0])
@@ -149,7 +137,7 @@ class ConsumerSet(Receiver):
# type: (WindowedValue) -> None
self.update_counters_start(windowed_value)
for consumer in self.consumers:
- cython.cast(Operation, consumer).process(windowed_value)
+ consumer.process(windowed_value)
self.update_counters_finish()
def try_split(self, fraction_of_remainder):
@@ -345,7 +333,7 @@ class Operation(object):
def output(self, windowed_value, output_index=0):
# type: (WindowedValue, int) -> None
- cython.cast(Receiver, self.receivers[output_index]).receive(windowed_value)
+ self.receivers[output_index].receive(windowed_value)
def add_receiver(self, operation, output_index=0):
# type: (Operation, int) -> None


@ -1,20 +0,0 @@
diff --git a/setup.py b/setup.py
index 9429459622..2727b3becb 100644
--- a/setup.py
+++ b/setup.py
@@ -136,12 +136,12 @@ REQUIRED_PACKAGES = [
# version of dill. It is best to use the same version of dill on client and
# server, therefore list of allowed versions is very narrow.
# See: https://github.com/uqfoundation/dill/issues/341.
- 'dill>=0.3.1.1,<0.3.2',
+ 'dill>=0.3.1.1',
'fastavro>=0.21.4,<2',
'grpcio>=1.29.0,<2',
'hdfs>=2.1.0,<3.0.0',
- 'httplib2>=0.8,<0.20.0',
- 'numpy>=1.14.3,<1.21.0',
+ 'httplib2>=0.8',
+ 'numpy>=1.14.3',
'pymongo>=3.8.0,<4.0.0',
'oauth2client>=2.0.1,<5',
'protobuf>=3.12.2,<4',


@ -0,0 +1,67 @@
{ buildGoModule
, fetchFromGitHub
, pam
, lib
, nixosTests
}:
buildGoModule rec {
pname = "pam_ussh";
version = "unstable-20210615";
src = fetchFromGitHub {
owner = "uber";
repo = "pam-ussh";
rev = "e9524bda90ba19d3b9eb24f49cb63a6a56a19193"; # HEAD as of 2022-03-13
sha256 = "0nb9hpqbghgi3zvq41kabydzyc6ffaaw9b4jkc5jrwn1klpw1xk8";
};
prePatch = ''
cp ${./go.mod} go.mod
'';
overrideModAttrs = (_: {
inherit prePatch;
});
vendorSha256 = "0hjifc3kbwmx7kjn858vi05cwwra6q19cqjfd94k726pwhk37qkw";
buildInputs = [
pam
];
buildPhase = ''
runHook preBuild
if [ -z "$enableParallelBuilding" ]; then
export NIX_BUILD_CORES=1
fi
go build -buildmode=c-shared -o pam_ussh.so -v -p $NIX_BUILD_CORES .
runHook postBuild
'';
checkPhase = ''
runHook preCheck
go test -v -p $NIX_BUILD_CORES .
runHook postCheck
'';
installPhase = ''
runHook preInstall
mkdir -p $out/lib/security
cp pam_ussh.so $out/lib/security
runHook postInstall
'';
passthru.tests = { inherit (nixosTests) pam-ussh; };
meta = with lib; {
homepage = "https://github.com/uber/pam-ussh";
description = "PAM module to authenticate using SSH certificates";
license = licenses.mit;
platforms = platforms.linux;
maintainers = with maintainers; [ lukegb ];
};
}
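Review bot: `prePatch` copies a `go.mod` kept in nixpkgs over whatever the source tree has, so the `golang.org/x/crypto` version this PAM module authenticates with is chosen here and will not move when a fix is released. Nothing in the expression says so; a comment above `prePatch` such as `# go.mod is maintained in nixpkgs; bump golang.org/x/crypto here (and vendorSha256) when security fixes land` would make that duty visible to the next maintainer. Separately, `version = "unstable-20210615"` does not use the `unstable-YYYY-MM-DD` form and sits beside a `rev` comment dated 2022-03-13, so a note that the version is the commit date would avoid confusion.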


@ -0,0 +1,15 @@
module github.com/uber/pam-ussh
go 1.17
require (
github.com/stretchr/testify v1.7.0
golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000
)
require (
github.com/davecgh/go-spew v1.1.0 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
)


@ -18,13 +18,13 @@
stdenv.mkDerivation rec {
pname = "oven-media-engine";
version = "0.13.1";
version = "0.13.2";
src = fetchFromGitHub {
owner = "AirenSoft";
repo = "OvenMediaEngine";
rev = "v${version}";
sha256 = "sha256-oWZ+o19bNR7/QuYTquRa3l7GfRLMEdyPtBUOwb2p3jA=";
sha256 = "0lkpidx4r890mcdk9m69j4iahm7qr7w34h11w1nmi132v0rqm0h8";
};
sourceRoot = "source/src";


@ -2,11 +2,11 @@
stdenv.mkDerivation rec {
pname = "abcMIDI";
version = "2022.02.21";
version = "2022.03.20";
src = fetchzip {
url = "https://ifdo.ca/~seymour/runabc/${pname}-${version}.zip";
hash = "sha256-oGGtJhVugqTvXD34Q2f8L5qoYoyyT5JjuBhqh4VYAAo=";
hash = "sha256-4PN4XL9Jx+vcT2QCA6GwomIqP7lRXkyBkRz641tephw=";
};
meta = with lib; {


@ -2,13 +2,13 @@
buildGoModule rec {
pname = "chezmoi";
version = "2.15.0";
version = "2.15.1";
src = fetchFromGitHub {
owner = "twpayne";
repo = "chezmoi";
rev = "v${version}";
sha256 = "sha256-P4ELrDcN6kIpIsKgZJppJv+y+ofnEz7McmGvCijnfQA=";
sha256 = "sha256-spIdY28ZC/+6bwWWwKW7Iu2E2eKD7MeRuxEAMN2e3H8=";
};
vendorSha256 = "sha256-D27a107gjHK4NYkJhZDd0SvhUmmRSl3DX519nglAoPo=";


@ -7,16 +7,16 @@
rustPlatform.buildRustPackage rec {
pname = "alejandra";
version = "1.1.0";
version = "1.2.0";
src = fetchFromGitHub {
owner = "kamadorueda";
repo = "alejandra";
rev = version;
sha256 = "sha256-vkFKYnSmhPPXtc3AH7iRtqRRqxhj0o5WySqPT+klDWU=";
sha256 = "sha256-35hEJuMvRswOPKb9lbB9ZuHVe0eJN6WJc4T8Frn0hYQ=";
};
cargoSha256 = "sha256-MsXaanznE4UtZMj54EDq86aJ2t4xT8O5ziTpa/KCwBw=";
cargoSha256 = "sha256-SsIpggbRQPjpCYgCG4sSJ022MmMV4bJJ8UAHcJR74O8=";
passthru.tests = {
version = testVersion { package = alejandra; };


@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "exploitdb";
version = "2022-03-31";
version = "2022-04-08";
src = fetchFromGitHub {
owner = "offensive-security";
repo = pname;
rev = version;
sha256 = "sha256-T7vPDbB330Uv276+oGnEYK1xGpJCMzzZiQXx4uW1kc4=";
sha256 = "sha256-yZ/4ULiNekedF0wUwowq5wcen52NbIsbSzINhKuStzo=";
};
nativeBuildInputs = [ makeWrapper ];


@ -2,16 +2,16 @@
rustPlatform.buildRustPackage rec {
pname = "difftastic";
version = "0.25.0";
version = "0.26.0";
src = fetchFromGitHub {
owner = "wilfred";
repo = pname;
rev = version;
sha256 = "sha256-TJMMy1fMwqUMVhztMOlN4yQhW5IF36yahOhDTJ9kadA=";
sha256 = "sha256-bluiRWueb9+UG+8jCwm+Xc483dSvoxwu+HP02I0DZBs=";
};
cargoSha256 = "sha256-crH2SodT+Wy3auk3uli253rIrHyKsibQcYGtpxwbJJQ=";
cargoSha256 = "sha256-nVYPvYt3Sr1VxoXiaFhpiAh+vngklsr6vn1jfBUg4C4=";
meta = with lib; {
description = "A syntax-aware diff";


@ -23106,6 +23106,8 @@ with pkgs;
pam_usb = callPackage ../os-specific/linux/pam_usb { };
pam_ussh = callPackage ../os-specific/linux/pam_ussh { };
paxctl = callPackage ../os-specific/linux/paxctl { };
paxtest = callPackage ../os-specific/linux/paxtest { };